Editors

Get Updates via E-mail

Disclaimer

The content of this blog is intended for informational purposes only. It is not intended to solicit business or to provide legal advice. Laws differ by jurisdiction, and the information on this blog may not apply to every reader. You should not take, or refrain from taking, any legal action based upon the information contained on this blog without first seeking professional counsel. Your use of the blog does not create an attorney-client relationship between you and Arnold & Porter LLP. Click here to view additional disclaimer language.

December 22, 2008

Children’s Online Privacy Must be Handled with Kid Gloves

The evidence continues to grow that the FTC is vigilant when it comes to children’s online privacy and is willing to seek large fines to make its point. In the latest settlement involving children’s online privacy, Sony BMG has agreed to pay a $1 million fine to settle various alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). Given the large fines recently assessed by the Commission and the list of well-known companies that the Commission has targeted as COPPA violators, it may well be a good time to assess your own company’s COPPA compliance.

COPPA, which became effective April 21, 2000, was passed in order to prevent unfair and deceptive practices in connection with the collection, use, or disclosure of personal information from and about children under the age of 13 on the internet. The COPPA rule, promulgated by the FTC, spells out what a company must include in their privacy policy, when and how verifiable consent must be obtained from a parent, and what responsibilities an online operator has to protect the privacy of children online. COPPA and the accompanying rule apply to information such as name, home address, email address, telephone number, and other information that would allow someone to contact a child. In addition, the Act and Rule also cover information such as hobbies, interests, and other information that can be collected through cookies or other tracking mechanisms that are tied to identifiable information. The Act and Rule require, among other things, that web-based operators obtain parental consent before collecting, using, or disclosing a child’s personal information. The FTC’s website contains numerous helpful guides on COPPA compliance. CARU, which is part of the Better Business Bureau, also operates an FTC-approved safe harbor program.

Sony BMG Music Entertainment operates over 1,000 websites for various musical artists. The company requires users to submit a range of personal information, along with date of birth, to register for these sites. On 196 of these sites, Sony allegedly collected personal information about 30,000 underage children without first obtaining parental consent. In addition, the FTC alleged, several of the Sony sites permit users to create personal fan pages, music reviews, upload photos or videos, post comments in online forums, and utilize personal messaging; allowing children to interact with users of all ages, including adults.

The FTC issued a complaint against Sony BMG, alleging that the company violated COPPA by failing to provide notice on its websites of what information is collected online about children, how such information is used and disclosed, failing to obtain parental consent, and failing to provide parents with Sony’s information practices and the ability to review the personal information collected from children. Sony’s $1 million penalty matches the highest amount collected for a COPPA case.

On a related note, earlier this week the Network Advertising Initiative, an industry self-regulatory group, released guidelines related to “behavioral advertising” or the monitoring of individual consumer internet activity designed to focus advertising content to individual interest. The guidelines prohibit using behavioral advertising techniques with children under age 13.